Zero-day or the unknown flaws that lead to hacks
Zero-day is a menacing term for any vendor or user of the software in question. It has a dual meaning: it can refer to previously undetected software vulnerabilities or to the code attackers use to exploit those weak points. Cybersecurity specialists always emphasize the importance of a swift response to immediate threats. In the case of zero-day vulnerabilities, however, vendors, developers, and the general public are unaware of the problem, so the bug might exist for years before detection. In the meantime, criminals or government institutions could secretly exploit those security holes.
What is zero-day?
The meaning of “zero-day” slightly differs depending on the context in which it appears.
- A zero-day vulnerability is a bug or flaw in a specific piece of software. It is high on the severity scale because, typically, no one, including the vendor, knows about it. The defining principle is that 0-day flaws are still unknown to the software developers and the public.
Imagine accidentally leaving a window wide open before leaving for your vacation. It is an instant threat to your home and your belongings. Without your knowledge, thieves could secretly climb through the window. However, it all depends on whether anyone will take a closer look at your house to find the open window.
The same principle applies here. Zero-day vulnerabilities might exist for a long time, but their actual severity and fallout depend on who discovers them first.
- A zero-day exploit is the code that takes advantage of the zero-day vulnerability. It typically relates to the question of whether attackers actively exploit the flaw. With the penetration technique designed, the threat is no longer theoretical. Attackers could successfully exploit the weakness and conduct a zero-day attack. The latter refers to the attempt to use the penetration technique against the flawed system.
Let’s return to the open window example. Say criminals notice it, but there is a catch: it is a second-floor window. The criminals get creative, pose as a construction crew, and use a ladder to get inside unnoticed. In this case, the open window is the zero-day vulnerability: it represents the potential for an attack. The ladder and the disguise represent the 0-day exploit: the tools used to take advantage of the open window.
How dangerous are zero-day flaws and exploits?
According to a Ponemon Institute study, about 80% of successful endpoint attacks happen thanks to zero-day exploits. It all comes down to the element of surprise and catching software owners and their clients off-guard. Exploiting an unpatched and undetected vulnerability is the ultimate goal. After all, it increases the chances that the attack will slide through all the protection measures in place.
Almost every major company has had to deal with zero-day flaws. Here are some of the most recent examples:
- Apple recently patched a zero-day flaw affecting iPads, iPhones, and Apple Watches. Attackers were already exploiting the vulnerability, discovered by Google’s security researchers, in the wild. The flaw gave criminals a chance to steal sensitive information, conduct phishing scams, initiate drive-by-download attacks, and manipulate the appearance of websites.
- A major bomb dropped when a researcher named Rajvardhan Agarwal shared a working zero-day exploit on Twitter. The penetration technique targeted Google Chrome and potentially other Chromium-based browsers. At the time of the post, Google was aware of the flaw but had not released a patch yet. Thus, the working zero-day exploit could have allowed attackers to run malicious code on targets’ computers until then.
- Researchers also recently detected 0-day flaws in Zoom. The critical vulnerability allowed attackers to achieve remote code execution (RCE) without any user interaction. Since Zoom has yet to resolve it with a patch, most technical details about the zero-day flaw remain undisclosed. In the meantime, researchers recommend using the browser version of Zoom, as the vulnerability does not affect it.
Some dishonorable mentions include Operation Aurora, Stuxnet, and RSA zero-day attacks.
- Stuxnet was a malicious worm that exploited flaws in Siemens software. The worm caused disruption in India, Iran, and Indonesia.
- The RSA incident involved attackers exploiting a vulnerable Adobe Flash Player to gain access to the RSA network.
- Operation Aurora was a 0-day attack that took advantage of zero-day flaws in Internet Explorer and Perforce. The malicious operation aimed to steal the intellectual property of major enterprises like Google, Adobe, Yahoo!, and Dow Chemical.
Who exploits zero-day flaws?
There are multiple groups of people that might take advantage of zero-day vulnerabilities. Not all of them have ill intentions, but, sadly, many of them do.
- White-hat security specialists might be the ones who discover the flaw. Then, they contact the vendor to report it. Sometimes, they might also include demonstrations of the possible penetration techniques. Additionally, many bug bounty programs offer prize money for finding zero-day flaws or exploits.
- If hackers or other criminals are the first to find the flaw, the situation becomes more severe. They might craft 0-day exploits and secretly compromise the security of vulnerable systems. What is more, they might sell such information on the black market, where guides on abusing software flaws with various intrusion techniques are on sale.
- Government agencies or other authorities might also take an interest in zero-day flaws and exploits. They may fund specific projects in the hope of discovering vulnerabilities. However, many specialists emphasize that governments do not necessarily participate in resolving such flaws. As reported in 2016, the National Security Agency kept information on detected vulnerabilities secret. The belief is that the agency kept the flaws under wraps so it could exploit them to hack into people’s computers.
Final notes
There is no guaranteed solution that fully resolves 0-day flaws and exploits. Vulnerabilities are bound to appear, and whether they can cause real damage depends on several factors.
One is whether the flaw is exploitable (whether anyone can produce a working exploit). The second is who discovers the vulnerability first. If it is the vendor or white-hat security specialists, the issue can be resolved in a timely manner. However, if hackers or other malicious parties make the discovery, they can secretly abuse it.
Vendors should proactively look for security holes in their systems, for example through penetration testing or by improving their threat mitigation techniques. As a user, you can do little to defend against zero-day flaws themselves. However, once developers patch them, it is your responsibility to update your software as soon as possible.